Page MenuHomePhabricator
Create Task
Maniphest T104372

Strengthen password policy for Ombudsmen
Closed, ResolvedPublic
Actions

Description

After T94774, we can define password policies based on group membership.

Users in the Ombudsmen group (https://meta.wikimedia.org/wiki/Special:GlobalGroupPermissions/ombudsman) have access to checkuser data globally. An account compromise could impact the privacy of our users.

My proposal is setting an 8-byte minimum length (users will be prompted to change their password on login) in the near term, and then require 8-byte minimum passwords to login after users have had time to update their passwords.

Details

SubjectRepoBranchLines +/-
Enforce same password policy for ombudsman as for checkuser et aloperations/mediawiki-configmaster+1 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

csteipp created this task.Jun 30 2015, 7:09 PM
csteipp raised the priority of this task from to Needs Triage.
csteipp updated the task description. (Show Details)
csteipp added projects: Security-General, Security-Team.
csteipp added subscribers: csteipp, Aklapper.
csteipp renamed this task from Strengthen password policy for Ombudsmen to Strengthen password policy for Checkusers.Jun 30 2015, 7:14 PM
csteipp updated the task description. (Show Details)
csteipp set Security to None.
csteipp renamed this task from Strengthen password policy for Checkusers to Strengthen password policy for Ombudsmen.Jun 30 2015, 7:16 PM
csteipp updated the task description. (Show Details)
csteipp mentioned this in T94774: Password policies by group.Jun 30 2015, 7:21 PM
Ricordisamoa subscribed.Jun 30 2015, 9:03 PM
Trijnstel subscribed.Jul 20 2015, 9:53 PM
Dzahn added a subtask: T94774: Password policies by group.Oct 16 2015, 9:34 PM
revi subscribed.Dec 11 2015, 12:09 AM
Restricted Application added a subscriber: StudiesWorld. · View Herald TranscriptDec 11 2015, 12:09 AM
gerritbot subscribed.Oct 31 2016, 3:44 PM

Change 318948 had a related patch set uploaded (by Reedy):
Enforce same password policy for ombudsman as for checkuser et al

https://gerrit.wikimedia.org/r/318948

gerritbot added a project: Patch-For-Review.Oct 31 2016, 3:44 PM
gerritbot added a comment.Oct 31 2016, 3:47 PM

Change 318948 abandoned by Reedy:
Enforce same password policy for ombudsman as for checkuser et al

Reason:
Actually already done

https://gerrit.wikimedia.org/r/318948

Reedy closed this task as Resolved.Oct 31 2016, 3:47 PM
Reedy assigned this task to csteipp.
Reedy subscribed.
	// See [[m:Requests_for_comment/Password_policy_for_users_with_certain_advanced_permissions]]
	foreach ( [ 'global-sysop', 'global-interface-editor', 'wmf-researcher',
		'new-wikis-importer', 'ombudsman', 'founder' ] as $group
	) {
		$wgCentralAuthGlobalPasswordPolicies[$group] = [
			'MinimalPasswordLength' => 8,
			'MinimumPasswordLengthToLogin' => 1,
			'PasswordCannotMatchUsername' => true,
			'PasswordCannotBePopular' => 10000,
		];
	}

Already done too

sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.Jun 11 2019, 7:18 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL